env-patch
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chineseenv-patch
env-patch
对 $ARGUMENTS 执行补环境方案。
前置条件:已知加密入口(模块 ID、函数名、所在脚本)。如未定位,先用 。
/find-crypto-entryImplement environment patching solution for $ARGUMENTS.
Prerequisites: The encryption entry (module ID, function name, the script it locates in) is known. If not located, use first.
/find-crypto-entry核心概念
Core Concepts
- 是引擎:提供工具函数(
env_core.js/setFuncNative/setObjNative/getNativeProto/wrapFunc/monitor)和诊断报告。引擎不含任何环境存根,复制后不再修改。createProxy - 是策略:所有环境存根、补丁、加载逻辑都写在 run.js 中。每轮诊断后只改 run.js。
run.js - 是参考目录:按诊断报告中出现的 UNDEFINED/ERRORS 按需取用存根代码。
browser-stubs.md
- is the engine: Provides utility functions (
env_core.js/setFuncNative/setObjNative/getNativeProto/wrapFunc/monitor) and diagnostic reports. The engine does not contain any environment stubs, and will not be modified after copying.createProxy - is the strategy: All environment stubs, patches, loading logic are written in run.js. Only run.js is modified after each round of diagnosis.
run.js - is the reference directory: Get stub code on demand according to the UNDEFINED/ERRORS appearing in the diagnostic report.
browser-stubs.md
铁律
Iron Rules
- 禁止修改原始 JS — 下文件只读。
source/下的 JS 副本(main.js / sdk.js / bytecode.js)一旦生成即为定稿,不再修改。所有补丁写在 run.js / sign.js 中。env/ - 必须 require env_core.js — 禁止在 run.js 中重写 setFuncNative / setObjNative / createProxy 等工具函数。所有工具通过 引入,然后调用
const env = require('./env_core')/env.setFuncNative()等。env_core.js 复制后不再修改。如果需要额外 helper,写在 run.js 顶部,但不得重复实现 env_core 已有的功能。env.createProxy() - 先分析 VMP 入口参数 — VMP 入口的依赖数组决定补环境边界。检查的是
typeof chrome !== "undefined" ? chrome : undefined,不是globalThis。必须用window同步。Object.defineProperty(global, name, ...) - 加载顺序是致命的 — VMP 在 的瞬间初始化并读取环境,之后不可更改。run.js 中的代码必须严格按以下顺序:
require()- — 获取工具(第一行)
const env = require('./env_core') - 构建存根对象(document / navigator / location 等)
- — 阻断 Node 泄露 + 挂载全局
env.init({ window, document, navigator, location }) - 额外环境补齐 — performance、chrome 等全局同步
- — 加载目标 JS
require('./main.js') - 测试签名
- 格式验证优先于请求验证 — 签名长度/前缀与浏览器不一致 = 降级,即使 HTTP 200 也是假阳性。
- Modification of original JS is prohibited — Files under are read-only. JS copies under
source/(main.js / sdk.js / bytecode.js) are final once generated and will not be modified. All patches are written in run.js / sign.js.env/ - Must require env_core.js — It is forbidden to rewrite utility functions such as setFuncNative / setObjNative / createProxy in run.js. All utilities are imported via , then call
const env = require('./env_core')/env.setFuncNative()etc. env_core.js will not be modified after copying. If you need additional helpers, write them at the top of run.js, but do not reimplement functions already available in env_core.env.createProxy() - Analyze VMP entry parameters first — The dependency array of the VMP entry determines the boundary of environment patching. checks
typeof chrome !== "undefined" ? chrome : undefined, notglobalThis. Must usewindowfor synchronization.Object.defineProperty(global, name, ...) - Loading order is critical — VMP initializes and reads the environment at the moment of , which cannot be changed afterwards. Code in run.js must strictly follow the order below:
require()- — Get utilities (first line)
const env = require('./env_core') - Build stub objects (document / navigator / location etc.)
- — Block Node leaks + mount global variables
env.init({ window, document, navigator, location }) - Additional environment completion — Synchronize global variables such as performance, chrome etc.
- — Load target JS
require('./main.js') - Test signature
- Format validation takes precedence over request validation — Inconsistent signature length/prefix with browser = downgrade, even if HTTP 200 is returned it is a false positive.
模板
Template
| 文件 | 用途 |
|---|---|
| 工具集 + Proxy 引擎 + 诊断报告 |
| 最小 webpack runtime |
复制到项目 后,env_core.js 不再修改。
env/| File | Purpose |
|---|---|
| Utility set + Proxy engine + Diagnostic report |
| Minimal webpack runtime |
After copying to the project directory, env_core.js shall not be modified.
env/执行流程
Execution Process
Step 1: 搭建项目结构
Step 1: Build project structure
<project>/
├── source/ # 原始 JS(下载,不修改)
├── env/ # 运行环境
│ ├── env_core.js # 从模板复制,不改
│ ├── main.js # 目标 JS 副本(或 sdk.js + bytecode.js)
│ ├── run.js # 加载器 + 环境存根 + 测试
│ └── sign.js # 签名接口(最后封装)
├── python/ # 验证脚本
└── docs/progress.md判断场景(按需读取 reference):
| 场景 | JS 文件 | 参考文档 |
|---|---|---|
| 单文件 SDK | 复制到 | — |
| SDK + 字节码分离 | | |
| webpack bundle | 提取模块到 | |
| 运行时动态加载 | curl 下载到 | |
<project>/
├── source/ # Original JS (downloaded, not modified)
├── env/ # Runtime environment
│ ├── env_core.js # Copied from template, do not modify
│ ├── main.js # Target JS copy (or sdk.js + bytecode.js)
│ ├── run.js # Loader + environment stubs + test
│ └── sign.js # Signature interface (encapsulated at last)
├── python/ # Verification scripts
└── docs/progress.mdScenario judgment (read reference on demand):
| Scenario | JS File | Reference Document |
|---|---|---|
| Single file SDK | Copy to | — |
| SDK + bytecode separated | | |
| webpack bundle | Extract modules to | |
| Runtime dynamic loading | Download via curl to | |
Step 2: 首次运行
Step 2: First run
编写最小 run.js,只包含必要存根:
javascript
const env = require('./env_core');
const _process = process; // init() 会隐藏 process,提前保留引用
// ① 构建最小存根(从 browser-stubs.md 取用 document/navigator/location)
const fakeDocument = { /* ... */ };
const fakeNavigator = { /* ... */ };
const fakeLocation = { /* ... */ };
// ② 组装 window
const fakeWindow = {
document: fakeDocument,
navigator: fakeNavigator,
location: fakeLocation,
// ... 按需补充
};
fakeWindow.window = fakeWindow;
fakeWindow.self = fakeWindow;
fakeWindow.top = fakeWindow;
fakeWindow.parent = fakeWindow;
fakeWindow.globalThis = fakeWindow;
// ③ 初始化(Node 泄露阻断 + 全局挂载)
env.init({
window: env.createProxy(fakeWindow, 'window', 0),
document: env.createProxy(fakeDocument, 'document', 0),
navigator: env.createProxy(fakeNavigator, 'navigator', 0),
location: env.createProxy(fakeLocation, 'location', 0),
});
// ④ 额外全局同步
// global.chrome = window.chrome; // 如需
// ⑤ 加载目标 JS
require('./main.js');
// ⑥ 测试
console.log('签名函数:', typeof window.签名函数名);运行 ,读取诊断报告。
node env/run.jsWrite minimal run.js, only include necessary stubs:
javascript
const env = require('./env_core');
const _process = process; // init() will hide process, reserve reference in advance
// ① Build minimal stubs (get document/navigator/location from browser-stubs.md)
const fakeDocument = { /* ... */ };
const fakeNavigator = { /* ... */ };
const fakeLocation = { /* ... */ };
// ② Assemble window
const fakeWindow = {
document: fakeDocument,
navigator: fakeNavigator,
location: fakeLocation,
// ... supplement on demand
};
fakeWindow.window = fakeWindow;
fakeWindow.self = fakeWindow;
fakeWindow.top = fakeWindow;
fakeWindow.parent = fakeWindow;
fakeWindow.globalThis = fakeWindow;
// ③ Initialize (Node leak blocking + global mounting)
env.init({
window: env.createProxy(fakeWindow, 'window', 0),
document: env.createProxy(fakeDocument, 'document', 0),
navigator: env.createProxy(fakeNavigator, 'navigator', 0),
location: env.createProxy(fakeLocation, 'location', 0),
});
// ④ Additional global synchronization
// global.chrome = window.chrome; // If needed
// ⑤ Load target JS
require('./main.js');
// ⑥ Test
console.log('Signature function:', typeof window.签名函数名);Run and read the diagnostic report.
node env/run.jsStep 3: 诊断循环(核心)
Step 3: Diagnosis loop (core)
每轮运行后读取诊断报告,按以下决策树处理:
诊断报告
├── [HANG] 进程卡死/无输出 → 参考 references/anti-debug.md
│ ├── setInterval debugger 死循环 → hook setInterval 过滤
│ ├── eval/Function 动态生成 debugger → hook eval + Function 剥离
│ └── 同步 while(true) → 定位源码,run.js 中 patch 全局
│
├── [ERRORS] → 必须立即修复
│ ├── TypeError: xxx is not a function → 补对应方法
│ ├── xxx is not defined → 补全局变量/构造函数
│ └── Cannot read property of undefined → 补中间对象
│
├── [UNDEFINED] → 逐项处理
│ ├── 先用 evaluate_script 从浏览器获取真实值
│ ├── 浏览器也是 undefined → 跳过(标记为已确认)
│ └── 浏览器有值 → 补到 run.js(从 browser-stubs.md 取用规范写法)
│
└── ERRORS = 0 && UNDEFINED 全部已确认 → 进入签名格式校验
├── 签名长度/前缀与浏览器一致 → Step 4
└── 签名不一致 → 深度排查
├── monitor() 包装关键对象,追踪属性访问
├── 全局错误拦截:process.on('uncaughtException')
├── 对照 references/node-detection.md 逐项检查
└── 所有外部 hook 均无异常 → references/limitations.md每轮操作:
- 读诊断报告
- 从 取用对应存根代码,用
browser-stubs.md的工具编写env_core.js - 只修改 run.js
- 重新运行,回到第 1 步
Read the diagnostic report after each run, process according to the following decision tree:
Diagnostic report
├── [HANG] Process stuck/no output → Refer to references/anti-debug.md
│ ├── setInterval debugger infinite loop → hook setInterval to filter
│ ├── eval/Function dynamically generated debugger → hook eval + Function to strip
│ └── Synchronous while(true) → Locate source code, patch global in run.js
│
├── [ERRORS] → Must be fixed immediately
│ ├── TypeError: xxx is not a function → Supplement corresponding method
│ ├── xxx is not defined → Supplement global variable/constructor
│ └── Cannot read property of undefined → Supplement intermediate object
│
├── [UNDEFINED] → Process item by item
│ ├── First use evaluate_script to get real value from browser
│ ├── Also undefined in browser → Skip (marked as confirmed)
│ └── Has value in browser → Supplement to run.js (get standard writing from browser-stubs.md)
│
└── ERRORS = 0 && All UNDEFINED confirmed → Enter signature format verification
├── Signature length/prefix consistent with browser → Step 4
└── Inconsistent signature → In-depth investigation
├── monitor() wraps key objects to track property access
├── Global error interception: process.on('uncaughtException')
├── Check item by item against references/node-detection.md
└── No abnormalities in all external hooks → references/limitations.mdOperations per round:
- Read diagnostic report
- Get corresponding stub code from , write with utilities from
browser-stubs.mdenv_core.js - Only modify run.js
- Rerun, go back to step 1
Step 4: 封装验证
Step 4: Encapsulation and verification
sign.js:
javascript
const env = require('./env_core');
// ... 环境构建(与 run.js 相同)...
require('./main.js');
module.exports = function sign(url, data) {
// 调用签名函数,返回结果
return window.签名函数名(url, data);
};验证顺序:
- 格式验证 — 签名长度、前缀与浏览器一致
- 请求验证 — HTTP 200 + 业务数据返回
sign.js:
javascript
const env = require('./env_core');
// ... Environment construction (same as run.js) ...
require('./main.js');
module.exports = function sign(url, data) {
// Call signature function, return result
return window.签名函数名(url, data);
};Verification order:
- Format verification — Signature length, prefix are consistent with those from browser
- Request verification — HTTP 200 + business data returned
References
References
遇到具体场景时按需读取:
| 文件 | 何时读取 |
|---|---|
| 进程卡死/极慢,或已知目标有 debugger 反调试 |
| 需要补存根时,查找规范写法 |
| 签名降级(长度/前缀与浏览器不一致) |
| SDK + 字节码分离、多解释器场景 |
| 加密代码从 API 动态加载 |
| webpack bundle 模块提取 |
| 怀疑 localStorage 有控制流开关 |
| 所有外部 hook 无效时,了解方案天花板 |
Read on demand when encountering specific scenarios:
| File | When to read |
|---|---|
| Process is stuck/extremely slow, or target is known to have debugger anti-debugging |
| Need to supplement stubs, look up standard writing |
| Signature downgrade (length/prefix inconsistent with browser) |
| SDK + bytecode separation, multi-interpreter scenarios |
| Encryption code is dynamically loaded from API |
| webpack bundle module extraction |
| Suspect localStorage has control flow switch |
| When all external hooks are invalid, understand the ceiling of the solution |